InfoSec Handlers Diary Blog

One of our readers, Alan, wrote in wanting to start a discussion about the proposed "Internet Safety (Stopping Adults Facilitating the Exploitation of Today's Youth) Act", currently before the Senate as S. 436 and the House as H.R. 1076.

As incident handlers and parents, most of us understand our responsibility for dealing with any child pornography issues. Legally and ethically we are bound to immediately turn any such information over to the authorities. I totally support additional ways to protect innocent children from this horrendous crime. It seems to me, though, that the technical issues of the bill aren't being dealt with. Are the politicians getting the technical advice from us that they need to actually make this bill work?

Here is what Alan wanted to see discussed:

"Do they understand that RFC-1918 private IPs are not Internet routable and the only IP which is is the one assigned to the gateway router, therefore making this not a home user/business issue? I'd like to see someone with an understanding of this distinction in IP addresses actually comment on this."

There are plenty of "politically charged" discussions going on about this bill already, so please let's keep the comments to the technical aspects of the IP addressing and data retention issues. Hopefully we can provide some insight for our legislators with your comments. I'll keep posting updates as we get your responses. Post your comments here.

Comment 1: Robin wrote in and hit the nail on the head regarding my two concerns. "...let's start with the requirement for keeping two years worth of logs. This is a pretty burdensome requirement for many small businesses and individuals.

Next, what about DHCP? This Bill would force businesses to link DHCP records to Internet use records. For practical reasons this would force businesses into implementing lengthy (or never expiring) DHCP leasing. Many businesses that use DHCP have little control over their DHCP space. This would force such businesses into some rearchitecting of their networks, so that DHCP activity was attributable."
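To make Robin's point concrete, here is a small added example (not from the diary or any commenter) of what "linking DHCP records to Internet use records" actually requires: a time-bounded join between the DHCP lease log and the gateway's NAT/connection log. The log formats and all addresses and times are constructed for illustration; the interesting case is the connection that falls in a gap or reassignment between leases, where no attribution is defensible.

```python
from datetime import datetime, timedelta

# Constructed sample DHCP lease events (not real logs): start time (UTC),
# lease length in seconds, assigned RFC-1918 address, client MAC.
DHCP_LEASES = [
    ("2009-03-01T08:00:00", 3600, "192.168.1.50", "00:11:22:33:44:55"),
    # Same address handed to a different client after the first lease expired.
    ("2009-03-01T09:30:00", 3600, "192.168.1.50", "66:77:88:99:aa:bb"),
]

# Constructed NAT gateway connection records: time, internal source, external dest.
NAT_LOG = [
    ("2009-03-01T08:20:00", "192.168.1.50", "203.0.113.7:80"),
    ("2009-03-01T09:10:00", "192.168.1.50", "203.0.113.9:443"),  # no lease active
    ("2009-03-01T09:45:00", "192.168.1.50", "203.0.113.7:80"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def lease_holder(leases, ip, when):
    """Return the MAC that held `ip` at `when`, or None.

    A lease covers [start, start + duration). None is returned both when no
    lease covers the instant (expired, or log gap) and when more than one
    does (overlapping records), because attributing the traffic to a single
    client is not defensible in either case.
    """
    t = _ts(when)
    holders = {
        mac
        for start, dur, lease_ip, mac in leases
        if lease_ip == ip and _ts(start) <= t < _ts(start) + timedelta(seconds=dur)
    }
    return holders.pop() if len(holders) == 1 else None


def attribute(nat_log, leases):
    """Join every NAT record to the MAC holding its internal address at that time."""
    return [(when, ip, dst, lease_holder(leases, ip, when)) for when, ip, dst in nat_log]
```

Note that even a successful join only yields a MAC address, not a person; the 09:10 record shows why short leases without a complete, retained DHCP log make the NAT log alone worthless for attribution.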

Comment 2: Dave wrote in with this, "I believe the law needs to by definition include private networks, companies and individuals that use them, and local Internet and Intranet traffic as well. It should also, in my opinion, include all methods and means of storage and transfer of data. It really would not be that hard to include this information and the definitions into the amendment."

Comment 3: From Drew, "Unfortunately, the act does not consider the impact to rights of the common home user. Now, if the abuser uses someone's open access point, the crime is traced back to that residential account and that person is accused. Even if law enforcers are unable to create a convincing case for an obviously erroneous charge against that person's character, they could impose an undue financial burden on them in the form of fines and possible prosecution for non-compliance. This puts the burden of proof not on the law enforcer, but on the innocent to prove their innocence. Without charge or some kind of compliance responsibility for others, it places a monitoring/auditing compliance requirement on the private citizen, reducing their independence to manage their network as they see fit. It could be argued that this would be akin to warrantless monitoring, which is clearly unconstitutional for domestic residents."

UPDATE: Thanks for all your info. I have made this information available to Congressman Lamar Smith and Senator John Cornyn. Hopefully we can help make a difference, at least technically.